INTERNATIONAL STANDARD ISO/IEC 27034-7
First edition 2018-05
Information technology - Application security - Part 7: Assurance prediction framework
(French title: Technologies de l'information - Sécurité des applications - Partie 7: Cadre de l'assurance d'une prédiction)
Reference number ISO/IEC 27034-7:2018(E)
© ISO/IEC 2018

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018. All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401, Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email:
[email protected]
Website: www.iso.org
Published in Switzerland

Contents (page)
Foreword ... v
0 Introduction ... vi
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Prediction concepts ... 3
5.1 Goal of prediction ... 3
5.2 Prediction framework ... 4
5.3 Expected Level of Trust ... 4
5.3.1 Concept
5.3.2 Expected level of trust in the ONF ... 5
5.3.3 Expected level of trust in the ANF ... 6
5.3.4 ASC data in the ANF ... 7
5.3.5 Expected level of trust over sequence of application versions ... 8
5.4 Principles ... 10
5.4.1 ISO/IEC 27034-1 principles ... 10
5.4.2 Appropriate investment for application security principle ... 10
5.4.3 Application security should be demonstrated principle ... 10
5.5 Prediction authorization ... 10
5.5.1 Prediction accountability ... 10
5.5.2 Forced authorization ... 11
5.6 Claims relative to the actual level of trust ... 11
6 Predictions ... 11
6.1 Prediction initiator ... 11
6.2 Prediction circumstances ... 12
6.2.1 Typical circumstance ... 12
6.2.2 Relationship to level of trust ... 12
6.3 Prediction consumer ... 12
7 Substantial changes ... 13
7.1 Definition discussion ... 13
7.2 Guidance for substantial changes risk analysis ... 13
7.2.1 General ... 13
7.2.2 Code change and static analysis ... 13
7.2.3 Architectural review ... 14
7.2.4 Deprecation of tests over time ... 14
8 Confidence ... 14
8.1 Confidence building blocks ... 14
8.2 Establishing confidence ... 14
9 Prediction application security rationale ... 15
9.1 Linkage to ASC ... 15
9.2 Components ... 15
9.3 Format ... 16
9.3.1 Identifiers, actors, ASCs outcomes ... 16
9.3.2 Rationale ... 16
9.3.3 Duplication of information ... 16
9.3.4 Assurance cases ... 16
9.4 Approval by ONF Committee ... 16
9.5 Use of RACI charts in description of activities, roles, and responsibilities ... 17
10 PASR audit ... 17
ISO/IEC 27034-7:2018 Information technology — Application security — Part 7: Assurance prediction framework
38 pages
This document was uploaded and shared by 人生无常 on 2024-08-10 16:31:32.